Michael Ehart on IT security, enforcement, etc.

From an on-line forum where I am a moderator comes this question from someone worried about IT security:
"I was asked this question, and I'm not quite sure how to answer it. 'Where does one turn when they see a complete disregard and lack of importance in the compliance for HIPAA security? The privacy rules are basically followed. But on the technology side, they have policies in place that are just not followed, upper management has stated behind closed doors that HIPAA and security really aren't that important. There really is no one who is the HIPAA security officer. HR is the HIPAA privacy officer. And no one in the healthcare facility will take the issues seriously - even when approached by their own IT about its importance.'"
Where do they turn, and how do they go about it while keeping their job?
The problem is, of course, that enforcement has been criminally lax. But recently there has been a new emphasis on enforcement, not just of HIPAA but of Sarbanes-Oxley and other regulations, and there are going to be companies that become the big, awful example. In the past very little was done when someone was found to be out of compliance, but recent news suggests that the tide is turning.
One of the most compelling reasons to follow the various regulatory rules is that they are generally best practices anyway. The time to protect yourself is not after you have already been exposed. Of course, one of the first steps to getting totally compliant is making certain that primary systems are compliant, which is certainly one of the things we work hardest on here at InsynQ.
All it would take would be for there to be a big data loss, and those same scofflaws would be scrambling to save their behinds. The risk of exposure is real, the dangers are extreme, and the risk to jobs, to the economic strength of the facility, and of an irreparable PR disaster from a major data loss is in no way worth the shortcut of not following procedures. For example, along with their regular local backups, companies hosted by us have a secure secondary backup of their data hosted with us, adding another layer of assurance.
Of course, it is important to make certain that the procedures and policies don't interfere with the business at hand. Frontliners are notoriously hostile to extra steps that seem to make their primary mission more difficult. Your procedures need to be as transparent to the end user as possible, or they will be disregarded, bypassed or ignored.
Visit Michael's blog - ComPlyWithMe
Document Management - Storage and Retention

In today's highly regulated environment, professional accounting firms need to protect their own business information as well as their clients' data. Without the use of an Electronic Document Management System (EDMS) it is nearly impossible to meet the standards set forth in Sarbanes-Oxley, HIPAA, and by other regulatory bodies. The Acct1st application, the foundation of the docs.cpaasp system, provides the professional firm with the ability to set security and retention schedules, perform file audits, and more easily locate potential problems or compliance issues before they occur.
A true records management system, docs.cpaasp from Acct1st and e-Accounting has the ability to control the lifecycle of both electronic files and paper documents in your practice.
- Retention/Disposition Schedules
- Record Holds
- Document Spawning/Reconciliation
- Box Tracking
- Audit Logs and Document History
docs.cpaasp from e-Accounting and Acct1st

Recently, in the ongoing Intel-AMD antitrust lawsuit, Intel was unable to come up with some 1,000 e-mails judged to be in evidence by the federal court.
High-profile litigation involving Oracle-SAP and the White House has brought the topic of e-mail archiving and retrieval to the attention of business owners, many of whom are now installing, or planning to install, some kind of e-mail archiving mechanism.